SANS ISC InfoSec Forums

Last week I read an interesting article stating the PC is no longer the office's primary device for accessing the Internet. With the influx of mobile devices into the enterprise, it is becoming more difficult to enforce corporate policies that are centrally managed. A recent survey by McAfee across "[...] 14 nations show 21% of companies have no restrictions on use of personal mobile devices, while 58% have lightweight policies, and only 20% have stringent guidelines.[2]" Each of these devices has a different OS, different software installed and different ways of securing it (or none at all). If these devices aren't centrally controlled and have access to everything in the enterprise, they will become a "gold mine" for those looking for easy-to-pick "low hanging fruit".

A recent study indicates that "Mobile internet traffic is set to grow 400% by 2015"[3] and the bulk will be in video consumption. Wireless carriers are starting to offer Long Term Evolution (LTE) devices (i.e. rocket sticks) that are potentially capable of supporting speeds of up to 75 Mbps, so crown jewels (i.e. source code) can be transferred out of a corporate network quickly. For example, Google Android and Apple iOS [4] have already been targeted by cyberthieves. Government agencies are starting to provide hardening guides; for example, Australia's DSD just released a guide to harden iOS 4 devices [5]. Incident Response will also become more complex if a mobile device has been compromised and is not owned by the enterprise. I can see Network Forensics becoming a crucial tool to aid in reconstructing the events that led to an incident.

Last year ISC posted a survey on "What is your biggest fear with Mobile Devices in your enterprise?"[6] and almost 50% of the respondents answered "Monitoring for information leak", followed by about 20% having issues with "Wireless access". If you don't mind sharing, we would like to hear from you, our readers, how your organization is currently dealing with Mobile Devices.

What I find interesting about Australia's "iOS Hardening Configuration Guide" is that there's NO mention of the fact that once an attacker has physical access to the device, well..."all ur passwords r belong to us." Jailbreaking an iPhone renders the passcode lock useless and saved passwords - such as email, social network sites, etc. - are seen in plain text. Granted, it takes a little techie know-how, but in less than 10 minutes it can be done. On top of that, other than the passcode lock encryption (which is rendered useless after a simple jailbreak) there's no mention of any other data encryption. Perhaps that's why they have only allowed these devices to be used for UNCLASSIFIED data.

Don't get me wrong -- I love my iPhone, but Apple still has a ways to go to equal the security of my Blackberry.

Yes, mobile devices are replicating faster than rabbits on Viagra. One solution that has been "ok" is the implementation of MobileIRON. This product does a fair job of controlling iOS devices but not so good on the Android side of the fence. Policies force password complexity, govern app installation, track the physical location, allow remote wipe and (I use the term) sandbox crypto to ensure the data is protected at rest. Here is the problem that I am facing. Corporations that have implemented this technology have not adopted the iPhone as the Corporate Standard, thus slowly replacing RIM. They are saving a buck or two and not procuring the hardware, just allowing users to "connect" as long as they agree to terms. However, the terms are not spelled out for the employee to understand that the company can look on a map and see where the phone is physically located. I have personally seen an evil Boss look up the phone's location when the employee calls in sick in order to "verify" they are home. The implications are huge when we start talking about a personal device being used for business. Privacy may be a thing of the past.

We recently implemented a separate wifi-based LAN that is external to the corporate LAN, but is NATted behind a simple firewall. The original purpose was to solve a problem with not being able to specify a non-standard MTU on iPads, but now it is used for iPads, Blackberries, and laptops.

Getting these devices directly on the corporate LAN where the desktops and "crown jewels" live requires special access, controlled by password and MAC address. Most mobile activity now takes place on the new mobile LAN, as users can use VNC to get to their desktop machines, so the crown jewels stay in the palace, even if they need to be looked at or worked on.

We are dealing with this at our company as well. Up until recently, all personal devices could be used to get email, VPN...etc. We finally took the first in a series of baby steps by introducing a written policy around personal (smartphone) devices. It was very cut and dry, in that users of personal mobile devices using ActiveSync would be required to agree to the ActiveSync policy. This included passcode lock (we determined 6 digits...not 6 alphanumerics, more on that in a sec), remote wipe, and encryption. Obviously, this is very limited to certain devices. Droid doesn't allow a lot of what ActiveSync has. What we found was a huge uproar among the employees, mainly the developers. It was really all related to passcode, and that it severely impairs productivity. Back to the 6 digits...can you imagine the uproar if we did 6 alphanumerics. So we have been taking all the feedback and the business still sides with the security team, that it's not really productivity loss, it's principle. People don't like personal devices under the control of someone else. They don't understand the business side.

But the business, at least our company, caters to the employee badly. It's all about innovation here, not standing in the way of getting things done faster and better. As you can imagine that's difficult for security. So, we started to look at MDM solutions. For the most part all of them are the same, a gateway device that leverages and improves on ActiveSync (i.e. MobileIRON, Sophos). They are better than native ActiveSync, but the same issues will impact the employees. So then we proof-of-concepted GOOD here. This solves those complaints by having an app installed, that is protected with a passcode and is an encrypted "sand box" of just corporate data. GOOD...is good. It's not great. It has many flaws, like it's dog slow. The email interface doesn't fully replicate the native one (i.e. no nested emails like the native iOS email app). I personally find a productivity hit by using GOOD. It can take up to 10 seconds to decrypt the data on app launch depending on other running processes. It also doesn't grab email as fast (push/pull). I get a LOT of email in 1 hour; it can take up to 60 seconds to download all the mail if I don't check it every hour, or forget to leave it running in the background. To unlock the native lock screen, then to unlock the corporate GOOD app, and wait up to 1-2 minutes sometimes to get my corporate data isn't fun. Plus, the device is designed to correlate all this email into one app; now it's separated.

Mobile protection in the corporate world is going to be VERY difficult if you allow any personal device. The best way is to only allow a corporate standard, and that standard has xyz policy that the employee must be bound by and agree to. I see no other way.
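The ActiveSync policy the post describes (6-digit numeric passcode, device encryption, remote wipe), written out as an added example using Exchange 2010 Exchange Management Shell cmdlets; this is not the poster's own configuration, and the policy name, mailbox and device identity are placeholders. Setting AllowNonProvisionableDevices to false is the practitioner's check for the "Droid doesn't allow a lot of what ActiveSync has" problem: a device that cannot apply the policy is refused sync instead of silently syncing unprotected.

```powershell
# Added example (Exchange 2010 Exchange Management Shell). The policy name,
# mailbox alias and device identity are placeholders, not values from the post.

# Passcode of at least 6 digits (alphanumeric not required, as the post chose),
# no trivial patterns, auto-lock after 15 minutes idle, device encryption on,
# and a local wipe after 10 failed unlock attempts.
New-ActiveSyncMailboxPolicy -Name "Personal-Smartphone-Policy" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $false `
    -MinDevicePasswordLength 6 `
    -AllowSimpleDevicePassword $false `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false   # refuse devices that cannot enforce the policy

# Apply the policy to a user's mailbox (or make it the default with -IsDefaultPolicy $true).
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Personal-Smartphone-Policy"

# Check which devices sync this mailbox and when each last acknowledged the policy.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceOS, LastSyncAttemptTime, LastPolicyUpdateTime, Status, Identity

# Remote wipe of one device; the Identity value comes from the listing above.
Clear-ActiveSyncDevice -Identity "<DeviceIdentity-from-listing>" -Confirm:$false
```

The wipe is issued on the next sync, so a device that has been switched off or had its SIM removed never receives it; the listing above is how you confirm the wipe was actually acknowledged.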

We quickly decided that personal devices will NEVER be used for business purposes, or touch company assets... portable or home. As an employee, I do not want my personal property subject to discovery or seizure due to a company screw up etc... but more so as an admin, I do not want my company servers / assets subject to discovery or seizure due to some employee's family member. When John Law shows up... if user's personal stuff is co-mingled with company stuff, Law has shown little to no concern in terms of what they will wheel out the door.

Absolutely need a standard and policy. But you also need to mitigate the 12-year-old running this week's AnonOps App on hardware that may have placed evidence within your scope. Backups, contacts, logs... they don't use discovery motions, even when they know there will be several thousand collateral victims.

I totally hear you, and I agree. The company doesn't agree though. It's so easy to let the employee assume the cost of the device, and pretty much let them assume the support of the device, but let them use the tools of the device to "make the company money". There is no way in hell the company would say no to personal devices. That could (it can be measured) cause a huge loss of profit and productivity here.

No one wants to carry 2 devices either, so using a corporate standard device doesn't help. It's also been argued that the corporate standard, which is the Blackberry, can't do a fraction of the stuff iOS and Droid can do.

It all depends on the business I guess, but it's all the same goal. Mobile Device security is going to be huge in the coming couple of years, and it's going to take a major incident or breach that can be officially linked to a compromised personal smartphone on a corporate network to wake companies up.